AWS: How To Setup A Site-to-Site VPN (Start to Finish) 2024
Summary
TLDR: In this speedrun tutorial, Techno demonstrates how to set up a site-to-site VPN on AWS without the need for on-premises equipment. The video covers creating VPCs, EC2 instances, and a strongSwan instance to mimic an on-premises router. It guides through the process of configuring a VPN connection, adjusting route tables for traffic forwarding, and testing connectivity with ICMP pings between AWS and the simulated on-premises network, providing a practical approach to cloud-based network extension.
Takeaways
- 🚀 This is a speedrun tutorial for setting up a site-to-site VPN using AWS, with a focus on quick implementation rather than detailed explanations.
- 🌐 The tutorial involves setting up two VPCs and EC2 instances, with one VPC representing the on-premises site and the other the AWS site.
- 🔐 A StrongSwan EC2 instance is used as the router/firewall for the on-premises site, enabling the connection to AWS.
- 🛠️ The tutorial does not cover the creation of the EC2 instances and VPCs in detail but assumes they are already set up.
- 📋 The process includes creating a customer gateway, virtual private gateway, and site-to-site VPN connection within AWS.
- 📝 Static routes are configured to ensure traffic is directed correctly between the on-premises and AWS sites.
- ⚙️ The tutorial includes configuring StrongSwan on the EC2 instance to establish the VPN connection and handle traffic.
- 🔄 Troubleshooting tips are provided for common errors, such as issues with starting the IPsec service.
- 🖧 The final steps involve verifying the connection by pinging between the AWS and on-premises instances.
- 👍 The video concludes with a successful ping test, confirming the site-to-site VPN setup is working correctly.
Q & A
What is the purpose of this video tutorial?
-The video tutorial aims to demonstrate how to create a site-to-site VPN using AWS in a speedrun format, covering all necessary steps quickly without extensive explanations.
Why does the creator use a VPC as an 'on-prem' device in this demo?
-The creator uses a VPC as an 'on-prem' device because they do not have an actual on-premises device available for testing. This setup simulates a real-world scenario where an on-premises network connects to AWS through a VPN.
What role does the 'strongSwan' EC2 instance play in this setup?
-The 'strongSwan' EC2 instance acts as a router or firewall in the on-premises network, establishing a connection with AWS and serving as the customer gateway for the VPN.
Why does the creator rename VPC 2 to 'on-prem'?
-The creator renames VPC 2 to 'on-prem' to avoid confusion and clearly differentiate between the AWS VPC and the simulated on-premises network.
Why is Amazon Linux 2 used instead of Amazon Linux 3 for the 'strongSwan' instance?
-Amazon Linux 2 is used because Amazon Linux 3 does not support strongSwan, which is required for this demonstration.
What is the purpose of creating a Customer Gateway in AWS?
-The Customer Gateway in AWS identifies the public IP address of the on-premises network (simulated by the strongSwan EC2 instance) to establish the VPN connection between AWS and the on-premises network.
What does it mean when the VPN tunnel status is 'up'?
-When the VPN tunnel status is 'up,' it indicates that the site-to-site VPN connection between the AWS VPC and the on-premises network has been successfully established and is actively routing traffic.
Why is it important to stop the source/destination check on the strongSwan EC2 instance?
-Stopping the source/destination check ensures that the strongSwan EC2 instance can forward traffic between different networks, which is necessary for routing traffic through the VPN.
What is the significance of modifying the route tables in this setup?
-Modifying the route tables ensures that traffic is correctly routed between the AWS VPC and the on-premises network through the VPN, enabling communication between the two networks.
What troubleshooting step does the creator take when the IPsec service fails to start?
-The creator reviews the configuration files for potential typos, re-applies the sysctl settings, and checks the configurations step by step to resolve the issue, which ultimately allows the IPsec service to start successfully.
Outlines
🚀 Introduction to Setting Up a Site-to-Site VPN
This paragraph introduces the video's purpose, which is to demonstrate the quick setup of a site-to-site VPN connection using AWS EC2 instances. The presenter, Techno, mentions that a detailed explanation of the concepts and AWS configurations is available in a previous video, and this 'speedrun edition' will focus on the practical steps. The presenter outlines the process of setting up two Virtual Private Clouds (VPCs) and EC2 instances, one acting as a router or firewall to simulate an on-premises environment. The setup is entirely cloud-based due to the lack of physical on-premises equipment.
🛠 Configuring the Site-to-Site VPN Components
The second paragraph delves into the technical setup of the VPN connection. It begins with the creation of a customer gateway to define the IP address for the on-premises site, using the public IP of the 'strongSwan' EC2 instance as an example. The presenter then guides through the creation of a virtual private gateway and a site-to-site VPN connection. The process includes configuring the local and remote CIDR blocks, which represent the IP address ranges for the on-premises and AWS VPCs, respectively. Default settings for the tunnel options are used, and the creation of the VPN connection is finalized.
🔄 Troubleshooting and Establishing the VPN Connection
In this paragraph, the presenter encounters an error while attempting to start the IPsec VPN, which leads to a troubleshooting session. The error message indicates a failure to start the Internet Key Exchange protocol. The presenter reviews each configuration step, ensuring there are no typos or misconfigurations. After correcting the issue, which may have been due to a skipped 'sysctl -p' step, the VPN connection is successfully established, and the status is confirmed as 'active and running'. The presenter also discusses the importance of configuring the route tables to ensure proper traffic forwarding between the AWS VPC and the on-premises site.
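The on-prem host side of that procedure comes down to four files (the sysctl lines, the include line in ipsec.conf, the tunnel definition in aws.conf and the pre-shared key in aws.secrets) plus the 'auth=esp' line the presenter deletes. The Python below is an added example, not the video's own commands or the configuration file AWS generated for it: it renders those files from the tutorial's two CIDRs and runs the typo check the presenter does by hand before starting ipsec. The option names follow the Openswan template AWS provides for a Site-to-Site VPN as I know it and are assumed, not taken from the page; the public IPs, the pre-shared key, the cipher proposal and the exact sysctl keys are placeholders or assumptions.

```python
"""Render and sanity-check the IPsec files for the on-prem VPN host.

Added example, not the video's own commands or its downloaded config.
Option names follow the Openswan template AWS generates for a Site-to-Site
VPN (assumed from memory); every address, id and secret below is a placeholder.
"""
import re
import tempfile
from pathlib import Path

LOCAL_CIDR = "192.168.0.0/16"      # on-prem side of the demo (VPC 2)
REMOTE_CIDR = "10.0.0.0/16"        # AWS side of the demo (VPC 1)
CGW_PUBLIC_IP = "203.0.113.10"     # placeholder: public IP of the Openswan/strongSwan EC2
AWS_TUNNEL1_IP = "198.51.100.20"   # placeholder: AWS outside address of tunnel 1
PSK = "REPLACE_WITH_PSK_FROM_DOWNLOADED_CONFIG"  # placeholder; never hard-code a real PSK

# The "three lines" the video copies into /etc/sysctl.conf (assumed contents):
# forward packets, and ignore/suppress ICMP redirects as a host acting as a router should.
SYSCTL_LINES = [
    "net.ipv4.ip_forward = 1",
    "net.ipv4.conf.default.accept_redirects = 0",
    "net.ipv4.conf.default.send_redirects = 0",
]

# Proposal used by the AWS Openswan template (assumed); AWS tunnel options also
# accept AES-256 / SHA-2 / DH group 14 and up, which is the choice outside a demo.
DEFAULT_PROPOSAL = "aes128-sha1;modp1024"


def render_conn(name, cgw_ip, aws_ip, local, remote, proposal=DEFAULT_PROPOSAL):
    """One conn block for /etc/ipsec.d/aws.conf: leftsubnet is the on-prem
    range and rightsubnet the AWS VPC, the two values the video edits."""
    options = [
        ("authby", "secret"), ("auto", "start"),
        ("left", "%defaultroute"), ("leftid", cgw_ip), ("right", aws_ip),
        ("type", "tunnel"), ("ikelifetime", "8h"), ("keylife", "1h"),
        ("ike", proposal), ("phase2alg", proposal),
        ("keyingtries", "%forever"), ("keyexchange", "ike"),
        ("leftsubnet", local), ("rightsubnet", remote),
        ("dpddelay", "10"), ("dpdtimeout", "30"), ("dpdaction", "restart_by_peer"),
    ]
    return f"conn {name}\n" + "".join(f"\t{k}={v}\n" for k, v in options)


def render_secrets(cgw_ip, aws_ip, psk):
    """/etc/ipsec.d/aws.secrets line: both outside addresses, then the PSK."""
    return f'{cgw_ip} {aws_ip}: PSK "{psk}"\n'


_AUTH_LINE = re.compile(r"^[ \t]*auth[ \t]*=.*\n?", re.MULTILINE)


def strip_auth_esp(conf):
    """Drop the 'auth=esp' line the video deletes from the downloaded template."""
    return _AUTH_LINE.sub("", conf)


def check_conn(conf, local, remote):
    """The typo check the video does by hand: list what would stop ipsec."""
    kv = dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)[ \t]*$", conf, re.MULTILINE))
    problems = []
    if kv.get("leftsubnet") != local:
        problems.append(f"leftsubnet must be the on-prem range {local}, got {kv.get('leftsubnet')}")
    if kv.get("rightsubnet") != remote:
        problems.append(f"rightsubnet must be the AWS range {remote}, got {kv.get('rightsubnet')}")
    if "auth" in kv:
        problems.append("remove the auth=esp line before starting ipsec")
    for key in ("leftid", "right", "authby"):
        if key not in kv:
            problems.append(f"missing {key}=")
    return problems


def write_files(root):
    """Stage the four files under a scratch directory (not onto the live /etc:
    on the host you append the sysctl lines and uncomment the include instead)."""
    root = Path(root)
    conf = strip_auth_esp(render_conn("Tunnel1", CGW_PUBLIC_IP, AWS_TUNNEL1_IP, LOCAL_CIDR, REMOTE_CIDR))
    files = {
        "etc/sysctl.conf": "\n".join(SYSCTL_LINES) + "\n",      # then apply with: sysctl -p
        "etc/ipsec.conf": "include /etc/ipsec.d/*.conf\n",     # the line the video uncomments
        "etc/ipsec.d/aws.conf": conf,
        "etc/ipsec.d/aws.secrets": render_secrets(CGW_PUBLIC_IP, AWS_TUNNEL1_IP, PSK),
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
        if rel.endswith(".secrets"):
            path.chmod(0o600)   # the PSK is a credential; keep it root-readable only
    return files


if __name__ == "__main__":
    out = write_files(tempfile.mkdtemp())
    print(out["etc/ipsec.d/aws.conf"])
    print("problems:", check_conn(out["etc/ipsec.d/aws.conf"], LOCAL_CIDR, REMOTE_CIDR))
```

Running the file stages the four files in a temporary directory and reports an empty problem list; feeding check_conn a block with the subnets swapped, or with the auth=esp line still present, names the line to fix, which is the check to run before 'sudo systemctl start ipsec' rather than after it fails.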
📶 Testing the VPN Connection with ICMP
The final paragraph focuses on testing the VPN connection by sending ICMP traffic between the AWS and on-premises EC2 instances. The presenter explains the need to update the route tables and security group rules to allow ICMP traffic. A ping test is performed from the AWS EC2 instance to the on-premises network, demonstrating successful connectivity. The presenter also ensures that return traffic is correctly routed back through the VPN by adjusting the route tables on the on-premises side. The video concludes with a recap of the steps taken and a reminder to the viewers to subscribe and comment if they found the content helpful.
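The routing half of the setup (a route to the virtual private gateway on the AWS side, a route to the VPN instance rather than a peering link on the on-prem side, the disabled source/destination check, the static route on the VPN and an ICMP rule in the security group) is easy to get wrong in exactly the ways the video runs into. As an added example that is not from the video, the Python below models those settings as data and runs that checklist before the ping test; the scenario mirrors the demo's CIDRs and every resource id is a constructed placeholder.

```python
"""Preflight for the routing, source/dest-check and security-group steps.

Added example, not from the video. The scenario mirrors the demo (10.0.0.0/16
on the AWS side, 192.168.0.0/16 on the simulated on-prem side); all resource
ids are placeholders.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Route:
    destination: str   # CIDR
    target: str        # "local", "vgw-...", "igw-...", "pcx-..." (peering) or an instance id


@dataclass
class Scenario:
    aws_cidr: str
    onprem_cidr: str
    aws_routes: list            # route table of the AWS VPC subnet (VPC 1)
    onprem_routes: list         # route table of the on-prem VPC subnet (VPC 2)
    vpn_static_routes: list     # static routes configured on the Site-to-Site VPN
    vpn_instance_id: str        # the Openswan/strongSwan EC2 instance
    source_dest_check: bool     # its source/destination check flag
    icmp_ingress_sources: list  # CIDRs allowed to send ICMP to the target instance


def lookup(routes, ip):
    """Longest-prefix match, which is how a VPC route table picks a route."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def preflight(s):
    """Return (errors, warnings) for the steps the tutorial performs."""
    errors, warnings = [], []
    onprem_host = str(ipaddress.ip_network(s.onprem_cidr)[10])  # any host in the range
    aws_host = str(ipaddress.ip_network(s.aws_cidr)[10])

    # 1. AWS VPC: on-prem destinations must leave through the virtual private gateway
    r = lookup(s.aws_routes, onprem_host)
    if r is None or not r.target.startswith("vgw-"):
        errors.append(f"AWS route table sends {onprem_host} to "
                      f"{r.target if r else 'nothing'}, expected the virtual private gateway")

    # 2. On-prem VPC: AWS destinations must go to the VPN instance, not a peering link
    r = lookup(s.onprem_routes, aws_host)
    if r is None or r.target != s.vpn_instance_id:
        msg = (f"on-prem route table sends {aws_host} to "
               f"{r.target if r else 'nothing'}, expected {s.vpn_instance_id}")
        if r is not None and r.target.startswith("pcx-"):
            msg += " (a VPC peering route bypasses the VPN)"
        errors.append(msg)

    # 3. Forwarded packets are dropped while the source/destination check is on
    if s.source_dest_check:
        errors.append("source/destination check is still enabled on the VPN instance")

    # 4. A static VPN needs a static route covering the on-prem range
    onprem_net = ipaddress.ip_network(s.onprem_cidr)
    if not any(onprem_net.subnet_of(ipaddress.ip_network(c)) for c in s.vpn_static_routes):
        errors.append(f"VPN static routes do not cover {s.onprem_cidr}")

    # 5. Security group: ICMP must be allowed; 0.0.0.0/0 is acceptable for a demo only
    if not s.icmp_ingress_sources:
        errors.append("security group allows no ICMP ingress; the ping test will fail")
    elif "0.0.0.0/0" in s.icmp_ingress_sources:
        warnings.append("ICMP allowed from 0.0.0.0/0; restrict it to the peer range outside a demo")
    return errors, warnings


# Constructed scenario after all of the tutorial's steps (ids are placeholders).
AFTER = Scenario(
    aws_cidr="10.0.0.0/16", onprem_cidr="192.168.0.0/16",
    aws_routes=[Route("10.0.0.0/16", "local"), Route("192.168.0.0/16", "vgw-PLACEHOLDER")],
    onprem_routes=[Route("192.168.0.0/16", "local"), Route("0.0.0.0/0", "igw-PLACEHOLDER"),
                   Route("10.0.0.0/16", "i-VPNHOST")],
    vpn_static_routes=["192.168.0.0/16"], vpn_instance_id="i-VPNHOST",
    source_dest_check=False, icmp_ingress_sources=["0.0.0.0/0"],
)
# The state the video starts from: peering route left over, check still on, no static route.
BEFORE = replace(AFTER,
                 onprem_routes=[Route("192.168.0.0/16", "local"), Route("10.0.0.0/16", "pcx-PLACEHOLDER")],
                 vpn_static_routes=[], source_dest_check=True)

if __name__ == "__main__":
    for name, scn in (("before", BEFORE), ("after", AFTER)):
        errs, warns = preflight(scn)
        print(name, "errors:", errs, "warnings:", warns)
```

The BEFORE scenario reports three errors (peering route, source/destination check, missing static route) and AFTER reports none, leaving only the warning about ICMP being open to 0.0.0.0/0, which matches the presenter's own remark that the rule should be scoped to the peer range outside a demo. The same checks can be fed from describe-route-tables, describe-vpn-connections and describe-security-groups output instead of the constructed data.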
Keywords
💡Site-to-Site VPN
💡AWS EC2
💡VPC
💡OpenVPN
💡Customer Gateway
💡Virtual Private Gateway
💡Route Table
💡Security Group
💡Network ACL
💡ICMP
Highlights
Introduction to the video: Setting up a site-to-site VPN in a speedrun edition, focusing on AWS cloud setup.
Quick note: For in-depth explanations, refer to the presenter's other video that covers the detailed reasoning behind each step.
Preparation: Two VPCs and EC2 instances are already created, simulating an on-premises setup using AWS.
Explanation: VPC 2 is treated as the on-premises network, with one EC2 instance acting as the router or firewall.
Setting up: Launching the necessary EC2 instances and creating a strongSwan EC2 instance to act as a VPN router, due to the absence of physical hardware.
Key Configuration: Use of Amazon Linux 2 to set up the strongSwan instance, as Amazon Linux 3 does not support strongSwan.
Important step: Ensure that the EC2 instance for strongSwan has a public IP address and is placed in a public subnet for SSH access.
Customer Gateway: Creation of a customer gateway in AWS, using the public IP of the strongSwan EC2 instance to simulate an on-premises device.
Virtual Private Gateway: Setting up a virtual private gateway in AWS and attaching it to the AWS VPC (VPC 1).
VPN Connection: Creation of the site-to-site VPN connection, specifying the static routes for the local and remote CIDR blocks.
Configuration: Editing the strongSwan configuration files on the EC2 instance to establish the VPN connection.
Troubleshooting: Resolving an issue with the IPsec service by rechecking and correcting configuration steps.
Verification: Confirming that the VPN tunnel is up and running by checking the AWS console.
Testing: Sending ICMP (ping) traffic between the AWS VPC and the on-premises VPC to validate the VPN connection.
Conclusion: Final verification of the ping tests and a recap of the entire process, ensuring that the site-to-site VPN is working as intended.
Transcripts
Hello everyone, my name is Techno, and today we're going to create a site-to-site VPN, and this is a speedrun edition. So if you're looking for an explanation, I already do have a video about that where I go in depth on why I create certain things and how it's done on the AWS side. But in this video today I'm going to show you exactly how to create a site-to-site VPN, and I'll just go through everything really quickly so that way you'll be able to see me testing from two AWS EC2 instances. But this is all done on the cloud and not on-prem, because I don't have an on-prem device. So with that being said, let's go ahead and begin.

Right off the bat, I already have two VPCs that I already created, and I've already created two EC2 instances over here on VPC 2, or on the 192.168.0.0/16 network. This can be considered your on-prem device. So because VPC 2 is going to be acting as your on-prem device, you want to make sure that one EC2 is considered as your router or your firewall that connects to AWS, because in the real-world situation, when you have a site-to-site VPN, you're going to have a router which has a public IP address that will be able to connect with AWS. So I'll go ahead and show you exactly what I'm doing right now on what should already be configured. So as you can see, I already have VPC 1 and VPC 2, so I'll just rename this for simplicity, so VPC2-on-prem, so that way we don't get confused between VPC 1 and VPC 2. Um, likewise for VPC 1, I'm just going to call this VPC1-AWS, so that way we know this is the AWS site and then VPC 2 is your on-prem site. Of course, if you do have an on-prem site, you don't need to create VPC number two.

Now the next step is to go to your EC2 instances and create all the EC2 instances that you'll want to establish connection or connectivity with each other. Now keep in mind that these two EC2 instances, EC2 1 and EC2 2, have already been created, so I'm not going to go through the steps on creating EC2s and whatnot. If you haven't already, just go ahead and check out my other video for an in-depth explanation, as I said. So I'm just going to go ahead and launch these instances or bring them up, so I'm going to click on start instances. And the only thing that I'll be creating now is your router or your firewall, which is in this case a strongSwan EC2 instance. We can go ahead and call this strongSwan, scroll down and go to Amazon Linux 2, because Amazon Linux 3 does not support strongSwan anymore. Remember that this is just for demo purposes; I don't have a Cisco ASA nor do I have like a Palo Alto router for testing purposes, so this is why we're going with strongSwan, since it's free. So we can go ahead and click on key pair. I already have a key pair already; if you don't, go ahead and create one right over here with this create new pair. Network settings: we're going to go on VPC number two, which is your on-prem IP address or on-prem site. The subnet should be in a public subnet so we can SSH into it. As far as security group, I already have one in place that allows SSH as well as ICMP. And one more thing is, whenever you create this EC2 instance, make sure that it has a public IP address. So over here where it says auto-assign public IP, click on enable, and you're good to go and launch this EC2.

So going back to my diagram, you should already have three EC2 instances created, one on your AWS VPC and two of them on your on-prem VPC. We're going to go on the left-hand side where it says customer gateway and create a customer gateway. This customer gateway is so that AWS knows what the IP address is for your on-prem site. So if we go back to this strongSwan EC2 instance that we created, you'll notice that the public IP address is this 100410 19 IP address. So we go back to the customer gateway tab, type in strongSwan or any kind of naming convention so that way you know that this is your on-prem router, and then paste the IP address, and we can ignore the certificate ARN and everything else and create this customer gateway. Same thing on the left-hand side: go down to virtual private gateway, click on that, create a virtual private gateway and call this VGW or anything you'd like to call it. So on the top right corner of your screen you can click on attach to VPC, and we want to attach it to your VPC1-AWS, because in a real-world scenario your virtual private gateway can only connect to one VPC. In this case we want the AWS VPC to be connected, which is VPC number one. So once that's attaching, the last thing that we can do is create the site-to-site VPN. So on the left-hand side again, right below virtual private gateway, click on site-to-site VPN connection, go to the top right and create your VPN connection. Call this site-to-site-VPN or anything you'd like to call it. Click on your virtual private gateway that was created; customer gateway, same thing, the one that we just created. In this demonstration I'll show you how to create a static site-to-site VPN, and the dynamic/static prefix we're going to just leave as is for now. The local and remote CIDR: so the local CIDR would be from your on-prem device, and if we look back at this diagram, it should be the 192.168 IP address range, so on this local CIDR you can go and type in 192.168.0.0/16. You could also leave quad zeros, but if we want to imagine as if this was a real-world situation, it's more ideal to have your on-prem IP address range. In this diagram it's the 10.0.0.0/16 network. Okay, tunnel 1 and tunnel 2 options I'm just going to go ahead and leave as default; I'm not going to make any changes to it. Lastly, just click on create VPN connection.

So we're almost there. We created a site-to-site VPN; we already know that it's attaching to the VPC, which is VPC number one or the AWS VPC, and over here we can see that this strongSwan EC2 has been created. Now keep in mind that when you click on the strongSwan EC2, you should go onto actions, networking, change source/destination check and click on the check box for stop. The reason why we want it to stop is so that if traffic is heading towards any EC2 instance that's not the strongSwan device, packets will not automatically get dropped and it will just forward it to the next destination. The next step is to connect to the strongSwan EC2 instance. Click on connect, and if you see this bird icon, that means you successfully connected to your EC2. Keep in mind that you need to allow SSH on your security group and make sure that your network ACL is quad zeros for both inbound and outbound rules. So now that we can confirm and connect to this EC2 instance, or the strongSwan EC2 instance which is pretending to be your on-prem customer gateway device, the last thing that we need to do is configure this EC2 so that way it's configured to use strongSwan and we can go ahead and establish that site-to-site VPN connection. So go back to your site-to-site VPN, click on download configuration, scroll down here.

This is future Brandon. I just want to give a heads up that you should be using Openswan instead of strongSwan.

Now that we've logged into our EC2 instance, we're going to go ahead and start configuring according to this file. So we're going to go ahead and type in sudo su, go to sysctl.conf, so sudo nano, paste, and then hit enter. Copy all these three lines. I know that down here it already has it, but go ahead and just delete it for safety measures and then paste everything as needed. Ctrl+X, Y and enter, and then it says to apply changes by typing in sysctl -p. And after step one, I did forget to do one important step, which was to install Openswan, so we can go ahead and type in sudo yum install openswan, hit Y for yes. Okay, now that we're done, we can go ahead and start following step two, or step three now. So open up this ipsec.conf: Ctrl+C, sudo nano, paste. After opening up this file we can go ahead and copy this line over here, paste it, and then we're going to remove this hashtag or pound sign. Ctrl+X, Y, enter. Now we have to create a new file, aws.conf, so Ctrl+C, sudo nano, same thing again, paste, enter, and then we're going to go ahead and type in the following values. So after we open up this file, one thing that you should modify on the notepad is to go over here where it says leftsubnet, which is your local network, local meaning your on-prem IP, which is the 192.168.0.0/16 IP, and right below that is your AWS IP address, which in this case is 10.0.0.0/16. So then go ahead and copy everything else, Ctrl+C, paste it in here, and then Ctrl+X, Y, enter. Lastly, on step five we have to create a new file: sudo nano, paste and enter, copy this line, and once you paste it click on Ctrl+X, Y, enter. One thing that I did forget to mention is that over here where it says auth=esp, go ahead and remove that and then save everything, Ctrl+X, Y for yes, and enter. Okay, so now that this is established for tunnel 1, if you want to do the same on tunnel 2, you're more than welcome to do so; just do the same exact thing as for tunnel 1, except do it for tunnel 2. Lastly, we need to go ahead and start our site-to-site VPN by typing in sudo systemctl start ipsec.

Okay, so this is our first error that we've encountered, where it says failed to start Internet Key Exchange protocol. So I'm going to go ahead and recheck every single step that I made, because I probably did make a typo of some sort; I might have not noticed it. We're going to go from step five all the way down to step, uh, step one and see what happened or what's the issue. Not sure if these, uh, these spaces make a difference, but I'm just going to go ahead and Ctrl+X, enter. And then lastly, step two says sysctl -p. Now I'm going to go ahead and start the ipsec again, and that did the trick. I don't know if it's because I forgot to put in the sysctl -p, but I just went through step five and went backwards to make sure I didn't make any typos and repasted everything. So now if I go ahead and type in sudo systemctl status ipsec, it should now say active and running. If we go ahead and go to the site-to-site VPN and refresh the page, it now says available. Available just means that the site-to-site VPN is created; it's not modifying, it's not getting deleted. That's not the main focus; the main focus is on tunnel 1. So I'm going to go ahead and minimize this tab, click on the site-to-site VPN tunnel details. Right now it shows us down, but I'm pretty sure if we wait for a little bit it's going to go into the up state.

So if you notice over here, we go to EC2 number one, networking, go to the subnet ID, route table, click on this route table, open up this route table, go to routes, edit routes. So rather than forwarding traffic to the VPC peer, because this was done in my previous video, instead of performing VPC peering this is now going to be done through a virtual private gateway. In this case, click on virtual private gateway, and over here this is the virtual private gateway that we created at the beginning of this video, and then click on save changes. So right now we just created a static route that forwards or forces traffic from your AWS VPC number one to forward traffic over to VPC number two or your on-prem site. Let's go ahead and double check our site-to-site VPN and check on tunnel 1 to see if it actually came up. So over here if we refresh the page one more time, click on site-to-site VPN tunnel details, look at that, it says tunnel 1 is up.

So now that we created the site-to-site VPN, the last thing that we're doing is sending traffic. So for simplicity reasons I'm just sending ICMP traffic. So earlier we already know that EC2 instance number one should now know how to forward traffic over to the site-to-site VPN, but on the return traffic we need to make sure that the EC2 instances know how to forward traffic from a specific EC2 instance out to the site-to-site VPN, because on your on-prem side, of course, you're going to send traffic to your firewall. If we go ahead and go to EC2 instance number two, go to networking, click on the subnet ID and then go onto the route table, edit this route table, click on routes. So right now we have a VPC peer, but I don't want that VPC peer to be there because that would defeat the whole purpose of a site-to-site VPN. So we're going to go ahead and eliminate this and put in instance. So after you copy the Openswan EC2 instance you can go ahead and click over here and make sure that this says... well, right now it says strongSwan on the name. We are going to go ahead and go on to EC2 instance number two, security group, look at the ingress rule and allow ICMP, because in my previous video I removed it but I forgot to add it back in. So click on all ICMP IPv4 from anywhere. Of course you don't want it from anywhere; you want this specifically from your on-prem or AWS IP address range, but for demo purposes of course I'm just going to go ahead and put it as quad zeros.

Let's go ahead and recap and discuss what we've done so far. So as of right now we have three EC2 instances that were created: we have EC2 instance number one, number two, and this one called Openswan VPC. We already know that a site-to-site VPN was created; we configured Openswan to establish that site-to-site VPN connection with the AWS VPC number one. So all we're doing now is making sure that the route tables on VPC number one are forwarding to a virtual private gateway, and on VPC number two we're forwarding traffic to the EC2 instance, the Openswan EC2 instance. So this means that any time traffic should be going out to the site-to-site VPN, traffic should be going to the Openswan EC2, and by creating VPC 2 we've been able to create or replicate an on-prem.

So now the last step is to send ICMP packets. Keep in mind that your security group should already be allowing ingress and egress for ICMP, so if you don't have it already, go ahead and do that now. So to make sure that we are now establishing this ICMP test, we're going to go on to EC2 instance number one (this is your AWS EC2, by the way), so pretend as if you want to connect from AWS to your on-prem. We're going to go ahead and copy the EC2 instance private IP address (and this is in your on-prem site, by the way, so the 192.168 network), ping, and now you'll notice that traffic is now forwarding. Quick pause: this is a ping test from the EC2 instance number two to the Openswan EC2 instance. Okay, so for the last step over here, if you click on static route, this is a site-to-site VPN where it's using static routing, so you want to make sure that you click on static routes and you put in the on-prem or the VPC number two IP address range and place it over here, and then click on save changes. So once you go ahead and do that, I'm just going to go ahead and start pinging the on-prem device. So copy this IP address, paste it and hit enter, and it looks like we can ping EC2 number two or the on-prem site. And same thing again, we're just going to go ahead and ping from the on-prem site over to the EC2 instance number one. So once we go ahead and paste that, we can confirm that the ICMP ping is working.

And that is how you create your site-to-site VPN, speedrun edition. I hope this information was helpful to you, because I know that in my previous video I didn't really show my final test results basically at the very end. Just like what you saw at the static route, I just forgot to add in that static route and I didn't show it because I deleted my EC2 instances at the time I created that video. But now that I've gone ahead and done the same exact thing on this video, you should now be able to create that site-to-site VPN as well as understand how to ping from AWS to AWS even if you don't have an on-prem site to actually use. I hope my video was helpful to you. If you found it helpful, like, subscribe and comment on my video, and I'll see you in my next one. Bye.